Billboard.Js
CVE-2026-1513
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 37 npm packages depend on billboard.js (23 direct, 14 indirect)
Ecosystem-wide dependent count for version 3.18.0.
DescriptionCVE.org
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
AnalysisAI
Cross-site scripting (XSS) in Billboard.js versions before 3.18.0 enables remote attackers to inject and execute arbitrary JavaScript through inadequately sanitized chart configuration options, affecting any application using the vulnerable library. The attack requires user interaction but can compromise confidentiality and integrity of affected web applications. No patch is currently available.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Billboard.Js. billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Billboard.Js
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-rpc5-pm7q-hjmp